OKE Workload Identity Authentication Fails with Node.js 22 (Native Fetch) #416

@doganyazar

Summary

OKE Workload Identity authentication fails when using Node.js LTS versions (22+) due to incompatibility with Node.js's native fetch implementation. The SDK passes custom HTTPS agents through httpOptions, which are ignored by native fetch, causing TLS certificate validation to fail.

Environment

  • Oracle TypeScript SDK: v2.120.0+
  • Node.js: v22.x (any version using native fetch by default)
  • Authentication: OKE Workload Identity
  • Affected Service: Kubernetes Engine (OKE) Enhanced Clusters

Error Message

Error: Failed to call Proxymux, error: TypeError: fetch failed. 
Failed to get a RPST token from Proxymux.

Root Cause

The issue is in the X509FederationClientForOkeWorkloadIdentity class:

https://github.com/oracle/oci-typescript-sdk/blob/v2.121.0/lib/common/lib/auth/X509-federation-client-for-oke-workload-identity.ts#L113-L116

const httpOptions: { [key: string]: any } | undefined = {};
httpOptions.agent = new httpsAgent({
  ca: [...rootCertificates, this.kubernetesServiceAccountCert]
});

const httpClient = new FetchHttpClient(null, null, httpOptions);

The Problem: Node.js's native fetch() (default in Node.js 18+) does not support the agent option. This is a feature specific to the node-fetch npm package. As a result, the custom CA certificate required to validate the proxymux service certificate is ignored, causing TLS validation to fail.

The SDK uses isomorphic-fetch which relies on the environment's fetch implementation, but doesn't account for native fetch's lack of agent support.

Reproduction

  1. Create OKE Enhanced cluster with Workload Identity enabled
  2. Deploy pod with service account configured for OKE Workload Identity
  3. Install Oracle TypeScript SDK v2.120.0 or later
  4. Use Node.js 22 (or any Node.js version with native fetch as default)
  5. Attempt to authenticate with OkeWorkloadIdentityAuthenticationDetailsProvider
  6. Observe TLS certificate validation failure

Workaround

Setting NODE_OPTIONS='--no-experimental-fetch' forces Node.js to use the legacy fetch implementation where the agent option works:

NODE_OPTIONS='--no-experimental-fetch' node your-app.js

This workaround proves the SDK is incompatible with Node.js native fetch.

Expected Behavior

OKE Workload Identity should work with Node.js LTS versions without requiring workarounds or environment variable overrides.

Proposed Solution

Update the SDK to be compatible with Node.js native fetch.

Impact

  • Scope: All OKE Workload Identity users on Node.js 18+
  • Severity: Blocks production deployment with modern Node.js versions
  • Workaround Available: Yes, but requires environment variable configuration

Related Issues
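
Added example, not part of the original issue and not SDK code: a loopback probe showing that the runtime's global fetch() never consults an `agent` passed in its options, while `http.get()` does. The `CountingAgent` class, the `probeAgentSupport` function and the local plain-HTTP server are constructed for illustration; the same silent drop is what discards the custom `ca` list in the snippet under Root Cause.

```javascript
// Probe whether this runtime's fetch() uses an Agent supplied in its options.
// Dynamic import keeps the file loadable as either CommonJS or an ES module.
async function probeAgentSupport() {
  const http = await import('node:http');

  // Agent that counts every socket it is asked to open.
  class CountingAgent extends http.Agent {
    constructor() { super(); this.calls = 0; }
    createConnection(...args) {
      this.calls += 1;
      return super.createConnection(...args);
    }
  }

  // Constructed loopback server; "Connection: close" lets it shut down promptly.
  const server = http.createServer((req, res) => {
    res.writeHead(200, { Connection: 'close' });
    res.end('ok');
  });
  await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
  const url = `http://127.0.0.1:${server.address().port}/`;

  try {
    // 1) Legacy path: http.get() opens its socket through the agent.
    const legacyAgent = new CountingAgent();
    await new Promise((resolve, reject) => {
      http.get(url, { agent: legacyAgent }, (res) => {
        res.resume();
        res.on('end', resolve);
      }).on('error', reject);
    });

    // 2) Global fetch with the same option, as httpOptions.agent would reach it.
    const fetchAgent = new CountingAgent();
    const res = await fetch(url, { agent: fetchAgent });
    await res.text();

    return {
      httpGetUsedAgent: legacyAgent.calls > 0,
      fetchUsedAgent: fetchAgent.calls > 0,
    };
  } finally {
    server.close();
  }
}
```

A result of `fetchUsedAgent: false` means any TLS settings carried by the agent, including a custom CA bundle, never reach the connection.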
